Data Protection Policy

Version 2.1 from 09.01.2024

On this page you will find information about our data handling. If you have any questions, please contact our secretary.

We discuss data security continuously in the board (new regulations, new technical possibilities, etc.). We try to protect the security of the data as well as possible.

We can be reached as follows:

Association Legalize it!, Quellenstrasse 25, 8005 Zurich

079 581 90 44,

Sven Schendekehl (Secretary, Board Member)

1 Receiving data

We receive data from interested parties or new members via our form on (encrypted), by e-mail (both via our internet provider hostpoint as well as via our internet service provider GGA), by phone (via Swisscom), by letter (via Swiss Post) or in the case of a personal contact. The e-mails and telephone calls are not encrypted (except by telephone via Threema or WhatsApp; letter mail is subject to postal secrecy).

Our provider hostpoint as well as our internet provider GGA are obliged to store certain marginal data of the e-mails, the web accesses, the DNS requests and the file transfers for six months. Our telephone provider Swisscom must also store the connection data for six months. We have no influence on this.

Regarding the web page calls of our we refer to our Cookie Policy. We do not personalize this data and only use it for anonymous access statistics.

We gladly accept facsimiles of legal documents for publication on our website. In doing so, we anonymize the personal information of the person(s) charged, convicted or acquitted with measures.

Our board communicates with each other in person at meetings, by phone, by email and via a Threema group. In addition, we use our online meeting room at Whereby. Virtual attendance at our member meetings also runs through this. The content is not recorded unless all participants of a meeting want this.

2 Managing data

Access to our self-created database on FileMaker is given to two members of the board. This local database is password protected and resides on an encrypted computer (Mac). Backups are also stored in encrypted form. We make every effort to perform operating system updates (macOS, iOS) as well as updates to the applications (see underlined words) as soon as we learn about them and it is possible in terms of work organization. We have no influence on the applications at our external service providers (see slanted words).

We maintain the received data in our database. On the one hand, we store the necessary data:

  • First name(s), last name(s), if applicable company name and address suffix, address, postal code and city
  • We record whether an address represents an individual, an organization from the hemp scene, a service provider of ours, an information medium or a social/political institution.
  • We record the type of support (subscription, private membership, corporate membership) and until when it lasts or, in the case of interested parties, that they are not yet a member. After a termination of support, we record this and, if applicable, the communicated reason for it.

We do, on the other hand, collect voluntary data when it is provided to us:

  • We collect specific information (for example, skills, interests, cooperation with corrections, offers to help with events, etc., if shared with us).
  • Those who wish can also provide their e-mail address(es) (it is necessary for the delivery of our e-mailing) as well as one or more telephone numbers.

We collect the following additional data:

We receive payments via our payment service provider Postfinance. When paying by credit card (Mastercard and Visa via Stripe via Donorbox), the amount also reaches us via Postfinance. With TWINT it runs via RaiseNow and then to Postfinance. During these processes, data is stored by all these service providers, which we cannot influence.

In our database we record the incoming payments as well as the outgoing payments and track the membership period.

In addition to our database, we manage data in the following other locations:

We print out the payment receipts and keep them for 10 years. This retention period is required by law. We export the accounting lines from our database and import them into the Banana accounting software.

For our e-mail mailings, we export first names and surnames or company names, member numbers and the e-mail address and transfer these in encrypted form to our own mailing program at Exoscale. From there, our program sends the e-mails via our e-mail provider hostpoint. Immediately after the mailing, we delete this information from our program.

We also send e-mails directly from our mail program via hostpoint (where we also receive and process everyday mail). As usual, this creates data traces that we cannot influence. We keep important mails indefinitely, check them once or twice a year and delete them when they are no longer necessary. We keep the other mails for one year, then delete them from the server.

On our file server at Tresorit we have only very little data about persons, besides the data for the e-mailing assemblies: for example, minutes of our association meetings with attendance lists and requests to speak, or lists of helpers at events. Our file server is also encrypted and so is the access to it. Only the board members have access. The provider Tresorit has no access to this data.

On our association phone (iPhone from Apple), we sometimes record the name belonging to a phone number. This list is synchronized with our computer via iCloud from Apple. Otherwise, we do not make backups or data transfers via Apple's server. Details that reach us via WhatsApp are of course also stored there. Information that reaches us via Threema goes through the corresponding server. All these data flows should be encrypted. SMS, on the other hand, can probably be read by all mobile providers involved (Swisscom on our side).

Access to the association phone is given to our secretary. During events he can also hand it over to board members. We regularly create encrypted backups on our local computer.

About every three months we print out the addresses of members and interested parties on the envelopes of our mailing (which are sent with the current issue of our association magazine and/or the current issue of our legal aid brochure and other information). These envelopes are handed over to the Swiss Post and delivered by them. In the process, scans will probably be made for sorting purposes, which we cannot influence. The envelopes are kept neutral by us.

Except for the few transactions listed above, we do not transfer data to others, either electronically or physically. If a member wishes to contact another member, the interested member may instruct us to send his/her data to the other member with a request to get in touch.

Note: Generally, all electronic requests create data trails not only on our end, but also on the devices of the sending individuals and their providers.

Data of employees with salary payment

If an employment contract exists, we need to record more data of these persons than in our database: We additionally need the date of birth as well as the AHV number, the gender, the degree of employment, the duration of employment (from… to…) and any other information. We store these in our salary overview on the Numbers spreadsheet.

We have to report the gross income of each employee annually to the AHV (SVA Zurich) as well as to the BVG (Nest Sammelstiftung), as well as the gross income as a whole to the daily sickness benefit insurance (Zurich Insurance Company) as well as to the accident insurance (Solida Insurance) and if necessary to our insurance broker (sennest). In the case of accidents or illnesses covered or processed by these companies, further information must also be provided (for example, last date of work - this varies greatly depending on the case; such data must be kept at least until the case is closed).

3 Deleting data

Anyone who would like his or her information deleted can contact our secretary. We can:

  • in our database, reduce the name, address and city to the first letter and delete the e-mail address and phone number(s).
  • delete special entries (member until…, further details etc.).
  • search our email inventory and delete all emails.
  • search our file server and delete any entries there.
  • search our association phone and delete combox messages, call ads, SMS, WhatsApp and Threema messages there.

We cannot delete data if it contains contracts or relevant business information (we must keep such information for 10 years for legal reasons). For example, we cannot delete incoming and outgoing payments because we have to keep them for 10 years.

4 General

Depending on the development of the legal situation, we may have to change or extend this data protection policy. We provide the currently valid document on our in the footer.

Last modified: 2024/03/27 08:56
